SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Story image

CISA mandates secure cloud baselines for US agencies

Yesterday

The Cybersecurity and Infrastructure Security Agency (CISA) has introduced a new directive mandating federal agencies to adopt Secure Cloud Business Applications (SCuBA) Secure Configuration Baselines, beginning with Microsoft 365.

The directive, named Binding Operational Directive 25-01, aims to bolster the security framework of federal agencies utilising cloud and SaaS services, addressing the growing threat of evolved cyber-attack tactics targeting these environments. The directive comes with three compliance deadlines set for February, April, and June 2025, emphasising the urgency of the task.

Cory Michal, Chief Security Officer at AppOmni, commented on the significance of the directive, stating, "This directive is a much-needed step to improve the organizational security posture of federal agencies leveraging cloud services and SaaS services. By mandating the adoption of the SCuBA Secure Configuration Baselines, the directive provides a standardized approach to securing SaaS applications and guides agencies to focus on proactive risk mitigation. It aligns with broader cybersecurity initiatives such as zero trust architecture and continuous monitoring. The success of the mandate will depend on effective implementation, deployment of appropriate security tooling and agency adoption."

The directive prescribes actionable measures such as the adoption of secure baselines, automated compliance tooling, and integration with security monitoring systems. These steps are in line with modern security models aimed at strengthening the security of the new attack surface presented by SaaS applications.

Cory Michal highlighted both the practicality and challenges of the directive: "The requirements are reasonable, as the directive focuses on practical, actionable measures like adopting secure baselines, automated compliance tooling, and integration with security monitoring systems. These are foundational steps that align with modern SaaS and cloud security models following the Identify, Protect, Detect and Respond methodology, allowing organizations to embrace and secure this new attack surface."

However, Michal also pointed out significant hurdles, including deadlines, funding, and skillset shortages, that agencies may face in complying with the directive. Many agencies may lack the skilled personnel and financial resources necessary to implement and manage these security measures.

"Deadlines, lack of funding and lack of adequate skillsets will be the main challenges in meeting these requirements. Many agencies have limited expertise in SaaS management and may struggle to meet deadlines due to lack of skilled personnel to implement and manage baselines and inadequate funding for necessary tools and monitoring systems," Michal noted.

The introduction of SCuBA baselines is viewed as an essential initial step for agencies. However, ongoing risk assessment and the integration of detection and response programmes are necessary to maintain security in critical SaaS applications.

Michal emphasised the importance of continuous improvement: "SCuBA baselines are a good starting point, but continuous risk assessment and integration with existing detection and response programs for all critical SaaS apps should be implemented to improve and maintain SaaS estate security posture."

With SaaS applications becoming an increasingly attractive target for threat actors due to their widespread use and accessibility, the security of these platforms is of crucial importance. Federal agencies face heightened risks, as any compromise could have implications for national security.

"SaaS applications have become the new attack surface for organizations and government agencies, as their widespread adoption introduces unique vulnerabilities that traditional security measures cannot fully address. These platforms store sensitive data, facilitate critical workflows, and are accessible from anywhere, making them prime targets for threat actors," Michal elaborated.

Addressing the vital nature of CISA's recent directive, Michal remarked, "For government agencies, the stakes are even higher, as adversaries can exploit these weaknesses to compromise national security and critical operations. CISA's measures, like the SCuBA Secure Configuration Baselines, are desperately needed to establish robust security postures for SaaS tenants, ensuring that agencies can mitigate risks and defend against increasingly sophisticated attacks in the cloud."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X